VIPRION Systems: Configuration. Version 11.2

Transcription

1 VIPRION Systems: Configuration Version 11.2

2

3 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: VIPRION Overview...9 VIPRION overview...10 VIPRION features...10 Related documents...11 Chapter 2: Initial VIPRION Setup...13 Overview: Initial VIPRION setup...14 VIPRION deployment worksheet...14 Activating the BIG-IP license for VIPRION...14 Creating trunks...15 Creating VLANs...15 Creating self IP addresses for VLANs...16 Overview: Verifying initial VIPRION configuration...17 Creating a pool to manage HTTP traffic...17 Creating a virtual server to manage HTTP traffic...17 Chapter 3: Create an Active-Standby Configuration...19 Overview: Creating an active-standby DSC configuration...20 About DSC configuration on a VIPRION system...20 Task summary...21 DSC prerequisite worksheet...21 Specifying an IP address for config sync...22 Specifying IP addresses for connection mirroring...23 Establishing device trust...23 Creating a Sync-Failover device group...24 Syncing the BIG-IP configuration to the device group...24 Specifying IP addresses for failover...24 Syncing the BIG-IP configuration to the device group...25 Implementation result...25 Chapter 4: Understanding Clusters...27 Cluster overview...28 Viewing cluster properties...28 Cluster properties

4 Table of Contents Viewing cluster member properties...29 Cluster member properties...29 Enabling and disabling cluster members...30 Changing a cluster-related management IP address...30 Cluster-related IP addresses

5 Legal Notices Publication Date This document was published on September 28, Publication Number MAN Copyright Copyright 2012, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice. Trademarks 3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iapps, icontrol, ihealth, iquery, irules, irules OnDemand, isession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, Scale N, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vcmp, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners. Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States. RF Interference Warning This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. FCC Compliance This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and

6 Legal Notices can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. Canadian Regulatory Compliance This Class A digital apparatus complies with Canadian ICES-003. Standards Compliance This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture. 6

7 Acknowledgments This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, This product includes software developed for the NetBSD Project by Frank Van der Linden. This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. This product includes software developed by Balazs Scheidler which is protected under the GNU Public License.

8 Acknowledgments This product includes software developed by Niels Mueller which is protected under the GNU Public License. In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project ( This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software), This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker ( and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation ( This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. ( This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. 8

9 Chapter 1 VIPRION Overview Topics: VIPRION overview VIPRION features Related documents

10 VIPRION Overview VIPRION overview The VIPRION system is a complete traffic management solution that offers high performance, reliability, scalability, and ease of management. Based on chassis and blade technology, this system is designed to meet the needs of large, enterprise networking environments that normally require multiple BIG-IP systems to process large volumes of application traffic. The VIPRION system consists of a chassis with a four-blade capacity. The four blades work together as a powerful system to process application traffic. Traffic comes into a single virtual server, and the system distributes that traffic over multiple blades, using the full multi-processing capacity of each blade. Moreover, if a blade unexpectedly becomes unavailable, another blade can complete the processing of the request. VIPRION features This table describes the VIPRION system features. Feature A chassis with blades Cluster technology Description The multi-slot chassis significantly reduces the amount of rack space required for the BIG-IP systems by housing blades instead of traditional switch systems. Hardware resources such as cooling and power systems, normally required for individual BIG-IP systems, are now part of the chassis instead. The VIPRION system's SuperVIP cluster technology is the core feature that coordinates all of the blades into a single high-performance system. A SuperVIP cluster is the group of slots in the VIPRION system chassis. Each slot in the cluster represents a cluster member, and any blades that you insert into the slots of a cluster work together to process application traffic. Cluster technology provides 10

11 VIPRION Systems: Configuration Feature Live installation Cluster synchronization Connection mirroring Description the processing power of multiple blades, but you manage the entire cluster as a single system. When you upgrade the BIG-IP software on a running system, the system automatically upgrades the BIG-IP software on all blades in the cluster. The primary blade automatically propagates the system configuration to all secondary blades, even when a new blade is introduced into the cluster. Connection mirroring ensures that if a blade, or a cluster within a device service clustering (redundant system) configuration, becomes unavailable, the system can still process any existing connections. Related documents You may find it useful to have an understanding of certain background concepts before performing VIPRION configuration tasks. For more information about configuring required BIG-IP network objects (trunks, VLANs, and self IP addresses), refer to the BIG-IP TMOS : Concepts Guide. For more information about configuring the BIG-IP system (or vcmp guests) to manage local area network traffic (concepts pertaining to virtual servers, various types of traffic profiles, load balancing pools and pool members, and so on) refer to the BIG-IP Local Traffic Manager: Concepts Guide. These product guides are available from the AskF5 Knowledge Base web site, 11

12 VIPRION Overview 12

13 Chapter 2 Initial VIPRION Setup Topics: Overview: Initial VIPRION setup Overview: Verifying initial VIPRION configuration

14 Initial VIPRION Setup Overview: Initial VIPRION setup To set up a newly installed VIPRION chassis, you configure a number of BIG-IP system objects. First trunks (external and internal), then VLANs (external, internal, and high availability), and finally, self IP addresses. This illustration depicts a VIPRION chassis configured with a single active blade. Task summary VIPRION deployment worksheet There are a number of points during the VIPRION deployment process at which you will need to make decisions or provide values. Use this table as a prompt for gathering the answers and values you will need, so that you can provide them when performing the initial setup. Configuration component External gateway address FQDN Link aggregation control protocol Network mask Primary cluster IP address User role Considerations What is the gateway address (next hop) for external traffic? What is the fully-qualified domain name (FQDN) for your BIG-IP system? Do your trunks require LACP mode? What is the network mask? What is the primary cluster IP address? The management IP address assigned to the chassis' primary cluster during chassis installation is used to access the VIPRION. Do you have a user role of Administrator? You need to have a user role of Administrator to perform the tasks in this process. Activating the BIG-IP license for VIPRION To activate the BIG-IP license, you need access to a browser and the base registration key. The base registration key is a character string that the license server uses to verify the type and number of F5 Networks products that you are entitled to license. If you do not have a base registration key, contact the F5 Networks sales group ( You activate the BIG-IP license from the Setup Utility License screen. 14

15 VIPRION Systems: Configuration 1. From a workstation attached to the network on which you configured the management interface, use a browser and type the following URL syntax where <management_ip_address> is the address you configured for device management: 2. At the prompts, type the user name admin and the password admin. 3. Click Log in. The Setup Utility screen opens. 4. Click Activate. The License screen opens. 5. In the Base Registration Key field, paste your base registration key. 6. Click Next. The End User License Agreement (EULA) displays. 7. Review the EULA. When you click Accept, the Platform screen opens. Creating trunks To configure trunks for the VIPRION system, the four external interfaces must be cabled to your Internet gateway, external bridge, or vendor switch. The first objects you configure are trunks that tie the internal and external vendor switch interfaces to the corresponding VIPRION interfaces. 1. Use a browser to log in to the VIPRION chassis's management IP address. This logs you in to the floating IP address for the cluster. 2. On the peer (vendor) switch on the external network, create a trunk that includes the four external interfaces to which you have physically connected the external interfaces of the four blades. If the peer switch is configured to use Link Aggregation Control Protocol (LACP), you must enable LACP. 3. Create a trunk, and if the peer switch is configured to use LACP, enable LACP on the new trunk: a) On the Main tab, expand Network, and click Trunks. The Trunks screen opens. b) At the upper right corner of the screen, click Create. The New Trunk screen opens. c) Assign the name trunk_ext, and assign an external interface of blade 1 to the trunk. d) Enable LACP mode, if required. e) Click Finished. 4. Repeat the previous step, but this time, configure a trunk that ties the vendor switch internal interface to the VIPRION internal interface. Assign the name trunk_int. Creating VLANs VLANs associate with your trunks. 1. Use a browser to log in to the VIPRION chassis's management IP address. This logs you in to the floating IP address for the cluster. 2. On the Main tab, expand Network, and click VLANs. The VLANs screen opens. 15

16 Initial VIPRION Setup 3. Click Create. The New VLAN screen opens. 4. Configure a VLAN named external, and assign it to the trunk named trunk_ex as an untagged interface. 5. Click Finished. 6. Repeat the last three steps, but this time, configure a VLAN named internal, and assign it to the trunk named trunk_int. 7. Repeat steps 3 through 5 one more time, but this time, configure a VLAN named HA, assign it to the trunk named trunk_int as a tagged interface. Creating self IP addresses for VLANs You need at least one VLAN or VLAN group configured before you create a self IP address. Self IP addresses enable the BIG-IP system, and other devices on the network, to route application traffic through the associated VLAN or VLAN group. Repeat the steps in this task for each VLAN. 1. On the Main tab, click Network > Self IPs. The Self IPs screen opens. 2. Click Create. The New Self IP screen opens. 3. In the Name field, type a unique name that readily identifies the VLAN to which it will associate for the self IP. Name the self IP for the internal VLAN Internal, name the external VLAN External, and name the HA VLAN HA. 4. In the IP Address field, type an IP address. This IP address must be within the address space that corresponds to the VLAN for which it is created (Internal, External or HA). The system accepts IP addresses in both the IPv4 and IPv6 formats. 5. In the Netmask field, type the network mask for the specified IP address. 6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address: For the internal network, select the VLAN that is associated with an internal interface or trunk. For the external network, select the VLAN that is associated with an external interface or trunk. For the HA network, select the VLAN that is associated with an internal interface or trunk. 7. From the Port Lockdown list, select Allow Default. 8. Repeat the last 4 steps, but this time specify an address from your external network in step 4 and select the VLAN named external in step Repeat steps 3 through 7 one more time, but this time specify an address on your internal network in step 4 and select the VLAN named HA in step Click Finished. The screen refreshes, and displays the new self IP address in the list. The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. 16

17 VIPRION Systems: Configuration Overview: Verifying initial VIPRION configuration Verifying your VIPRION configuration confirms that the setup performed up to this point is functioning properly. Once you establish that the VIPRION configuration is correct, you will likely need to create a profile, pools, and virtual server that are tailored to your network topology before you can begin processing LTM traffic. Creating a pool to manage HTTP traffic You can create a pool to manage HTTP connections. 1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens. 2. Click Create. The New Pool screen opens. 3. In the Name field, type a unique name for the pool. 4. For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list. 5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin. 6. For the Priority Group Activation setting, specify how to handle priority groups: Select Disabled to disable priority groups. This is the default option. Select Less than, and in the Available Members field, type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group. 7. Using the New Members setting, add each resource that you want to include in the pool: a) Type an IP address in the Address field, or select a node address from the Node List. b) Type 80 in the Service Port field, or select HTTP from the list. c) (Optional) Type a priority number in the Priority field. d) Click Add. 8. Click Finished. The new pool appears in the Pools list. Creating a virtual server to manage HTTP traffic You can create a virtual server to manage HTTP traffic as either a host virtual server or a network virtual server. 1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers. 2. Click the Create button. The New Virtual Server screen opens. 3. In the Name field, type a unique name for the virtual server. 17

18 Initial VIPRION Setup 4. Specify the Destination setting, using the Address field; type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network. 5. In the Service Port field, type 80, or select HTTP from the list. 6. From the HTTP Profile list, select http. 7. In the Resources area of the screen, from the Default Pool list, select a pool name. 8. Click Finished. The HTTP virtual server appears in the list of existing virtual servers on the Virtual Server List screen. 18

19 Chapter 3 Create an Active-Standby Configuration Topics: Overview: Creating an active-standby DSC configuration Task summary Implementation result

20 Create an Active-Standby Configuration Overview: Creating an active-standby DSC configuration The most common TMOS device service clustering (DSC ) implementation is an active-standby configuration, where a single traffic group is active on one of the devices in the device group and is in a standby state on a peer device. If failover occurs, the standby traffic group on the peer device becomes active and begins processing the application traffic. To implement this DSC implementation, you can create a Sync-Failover device group. A Sync-Failover device group with two members and one traffic group provides configuration synchronization and device failover. If the device with the active traffic group goes offline, the traffic group becomes active on the peer device, and application processing is handled by that device. About DSC configuration on a VIPRION system The way you configure device service clustering (DSC) on a VIPRION system varies depending on whether the system is provisioned to run the vcmp feature. For non-vcmp systems On a VIPRION system that is not provisioned for vcmp, the management IP address that you specify for establishing device trust and enabling failover should be the system's primary cluster IP address. This is a floating management IP address. For vcmp systems On a vcmp system, the devices in a device group are virtual devices, known as vcmp guests. You configure config sync and failover to occur between equivalent vcmp guests in separate chassis. For example, if you have a pair of VIPRION systems running vcmp, and each system has three vcmp guests, you can create a separate device group for each pair of equivalent guests. The Table shows an example. Table 1: Sample device groups for two VIPRION systems with vcmp Device groups for vcmp Device-Group-A Device-Group-B Device-Group-C Device group members Guest1 on chassis1 Guest1 on chassis2 Guest2 on chassis1 Guest2 on chassis2 Guest3 on chassis1 Guest3 on chassis2 By isolating guests into separate device groups, you ensure that each guest synchronizes and fails over to its equivalent guest. 20

21 VIPRION Systems: Configuration The self IP addresses that you specify per guest for config sync and failover should be the self IP addresses that you previously configured on the guest (not the host). Similarly, the management IP address that you specify per guest for device trust and failover should be the cluster IP address of the guest. Task summary Use the tasks in this implementation to create a device group that syncs the BIG-IP configuration to the peer device and provides failover capability if the peer device goes offline. Note that on a vcmp system, the devices in a specific device group are vcmp guests, one per chassis. Task summary DSC prerequisite worksheet Before you set up device service clustering (DSC ), you must configure these BIG-IP components on each device that you intend to include in the device group. Configuration component Hardware, licensing, and provisioning BIG-IP software version Management IP addresses FQDN User name and password root folder properties VLANs Considerations Devices in a device group must match as closely as possible with respect to hardware platform, product licensing, and module provisioning. If you want to configure mirroring, ensure that the hardware platforms of the mirrored devices match. Each device must be running BIG-IP version 11.x. This ensures successful configuration synchronization. Each device must have a management IP address, a network mask, and a management route defined. Each device must have a fully-qualified domain name (FQDN) as its host name. Each device must have a user name and password defined on it that you will use when logging in to the BIG-IP Configuration utility. The platform properties for the root folder must be set correctly (Sync-Failover and traffic-group-1). For non-vcmp systems, you must create these VLANs on each device if you have not already done so: A VLAN for the internal network, named internal A VLAN for the external network, named external A VLAN for failover communications, named HA Self IP addresses For vcmp systems, you must create these VLANs on the vcmp host pertaining to each guest that is to be included in a device group, if you have not already done so. For non-vcmp systems, you must create these self IP addresses on each device if you have not already done so: Two self IP addresses (floating and non-floating) on the same subnet for VLAN internal. 21

22 Create an Active-Standby Configuration Configuration component Considerations Two self IP addresses (floating and non-floating) on the same subnet for VLAN external. A non-floating self IP address on the internal subnet for VLAN HA. For vcmp systems, you must create these self IP addresses on each vcmp guest that is to be included in a device group if you have not already done so. Note: When you create self IP addresses, they are floating addresses by default because the BIG-IP system automatically adds the addresses to the default floating traffic group, traffic-group-1. To create non-floating self IP addresses, you must explicitly change the value of the Traffic Group setting on the Self IP Create screen to traffic-group-local-only. Port lockdown Application-related objects Time synchronization Device certificates For self IP addresses that you create on each device, you should verify that the Port Lockdown setting is set to Allow All, All Default, or Allow Custom. Do not specify None. You must create any virtual IP addresses and, optionally, SNAT translation addresses, as part of BIG-IP Local Traffic Manager configuration. You must also configure any iapps application services if they are required for your application. When you create these addresses or services, the objects automatically become members of the default traffic group, traffic-group-1. The times set by the NTP service on all devices must be synchronized. This is a requirement for configuration synchronization to operate successfully. Verify that each device includes an x509 device certificate. Devices with device certificates can authenticate and therefore trust one another, which is a prerequisite for device-to-device communication and data exchange. Specifying an IP address for config sync Before configuring the config sync address, verify that all devices in the device group are running the same version of BIG-IP system software. This task identifies the IP address that devices in the device group will use to synchronize their configuration objects. Use the BIG-IP Configuration utility to set up config sync. Important: You must perform this task on each device in the device group. 1. Confirm that you are logged in to the actual device you want to configure. 2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device. 3. In the Name column, click the name of the device to which you are currently logged in. 4. From the Device Connectivity menu, choose ConfigSync. 5. For the Local Address setting, retain the displayed IP address or select another address from the list. F5 Networks recommends that you use the default value, which is the self IP address for VLAN internal. This address must be a non-floating self IP address and not a management IP address. 6. Click Update. 22

23 VIPRION Systems: Configuration Specifying IP addresses for connection mirroring Before configuring mirroring addresses, verify that the mirroring peers have the same hardware platform. This task configures connection mirroring between two devices to ensure that in-process connections are not dropped when failover occurs. You can mirror connections between a maximum of two devices in a device group. Important: You must perform this task on each device in the device group. 1. Confirm that you are logged in to the actual device you want to configure. 2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device. 3. In the Name column, click the name of the device to which you are currently logged in. 4. From the Device Connectivity menu, choose Mirroring. 5. For the Primary Local Mirror Address setting, retain the displayed IP address or select another address from the list. The recommended IP address is the self IP address for either VLAN HA or VLAN internal. 6. For the Secondary Local Mirror Address setting, retain the default value of None, or select an address from the list. This setting is optional. The system uses the selected IP address in the event that the primary mirroring address becomes unavailable. 7. Click Update. Establishing device trust Verify that each BIG-IP device that is to be part of a local trust domain has a device certificate installed on it. This task establishes a local trust domain between the local device (that is, the device you are logged in to) and devices you specify during the process. A local trust domain is any number of BIG-IP devices that have a trust relationship with one another. Perform this task on any one of the BIG-IP devices that will be in the same device group. 1. On the Main tab, click Device Management/Device Trust, and then either Peer List or Subordinate List. 2. In the Peer Authority Devices or the Subordinate Non-Authority Devices area of the screen, click Add. 3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP device. This IP address can be either a management IP address or a self IP address. 4. Click Retrieve Device Information. 5. Verify that the certificate of the remote device is correct. 6. Verify that the name of the remote device is correct. 7. Verify that the management IP address and name of the remote device are correct. 8. Click Finished. 23

24 Create an Active-Standby Configuration Creating a Sync-Failover device group This task establishes failover capability between two BIG-IP devices. If the active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You can perform this task on any authority device within the local trust domain. 1. On the Main tab, click Device Management > Device Groups. The Device Groups screen displays a list of existing device groups. 2. On the Device Group List screen, click Create. 3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group. 4. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Selected list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. 5. For Network Failover, select the Enabled check box. 6. Click Finished. You now have a Sync-Failover device group containing two BIG-IP devices as members. Syncing the BIG-IP configuration to the device group Before starting this task, verify that all devices targeted for ConfigSync are members of a device group and that device trust has been established. This task synchronizes the BIG-IP configuration data from the local device to all devices in the group. This synchronization ensures that the entire redundant system configuration operates properly within the device group. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only. Important: Perform the following procedure on only one of the two devices. 1. On the Main tab, click Device Management > Device Groups. The Device Groups screen displays a list of existing device groups. 2. In the Group Name column, click the name of the relevant device group. 3. On the menu bar, click ConfigSync. 4. Click Synchronize To Group. Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group. Specifying IP addresses for failover This task specifies the local IP addresses that you want other devices in the device group to use for failover communications with the local device. You must perform this task on each device in the device group. Note: The failover addresses that you specify must belong to route domain 0. 24

25 VIPRION Systems: Configuration 1. Confirm that you are logged in to the actual device you want to configure. 2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device. 3. In the Name column, click the name of the device to which you are currently logged in. 4. From the Device Connectivity menu, choose Failover. 5. For the Failover Unicast Configuration settings, retain the displayed IP addresses. You can also click Add to specify additional IP addresses that the system can use for failover communications. F5 Networks recommends that you use the self IP address assigned to the HA VLAN. 6. If the BIG-IP system is running on a VIPRION platform, then for the Use Failover Multicast Address setting, select the Enabled check box. 7. If you enable Use Failover Multicast Address, either accept the default Address and Port values, or specify values appropriate for the device. If you revise the default Address and Port values, but then decide to revert back to the default values, click Reset Defaults. 8. Click Update. After you perform this task, other devices in the device group can send failover messages to the local device using the specified IP addresses. Syncing the BIG-IP configuration to the device group Before starting this task, verify that all devices targeted for ConfigSync are members of a device group and that device trust has been established. This task synchronizes the BIG-IP configuration data from the local device to all devices in the group. This synchronization ensures that the entire redundant system configuration operates properly within the device group. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only. Important: Perform the following procedure on only one of the two devices. 1. On the Main tab, click Device Management > Device Groups. The Device Groups screen displays a list of existing device groups. 2. In the Group Name column, click the name of the relevant device group. 3. On the menu bar, click ConfigSync. 4. Click Synchronize To Group. Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group. Implementation result You now have a Sync-Failover device group set up with an active-standby configuration. In this configuration, each traffic group is initially configured to be active on one device. If one device goes offline, the traffic group that was active on that device becomes active on the other device in the group. Application processing for both traffic groups continues without interruption. 25

26 Create an Active-Standby Configuration 26

27 Chapter 4 Understanding Clusters Topics: Cluster overview Viewing cluster properties Viewing cluster member properties Enabling and disabling cluster members Changing a cluster-related management IP address

28 Understanding Clusters Cluster overview The slots in a VIPRION chassis work together as a single, powerful unit. This entity is called a cluster. The size of the cluster depends on the number of running blades installed in the chassis. Blades in the cluster share the overall workload, and can be configured to mirror each others connections, so that if a blade is taken out of service or becomes unavailable for some reason, any in-process connections remain intact. When a blade is installed in a slot and turned on, it automatically becomes a member of the cluster. One of the first tasks performed as part of the platform installation is to insert blades and assign a unique cluster IP address to the primary blade in the cluster. The cluster IP address is a floating management IP address used to access the primary blade to configure the system. If the primary blade becomes unavailable for any reason, the primary designation moves to a different blade, and the cluster IP address floats to that blade. This ensures that you can always access the cluster using the cluster IP address, even when the primary blade changes. When you log on to the system using the cluster IP address, you can configure features such as trunks, VLANs, administrative partitions, and virtual servers. If you have a redundant system configuration, you can configure failover IP addresses, as well as connection mirroring between clusters. Viewing cluster properties You can use the BIG-IP Configuration utility to view the properties for the cluster. 1. Use a browser to log in to the VIPRION chassis's management IP address. This logs you in to the floating IP address for the cluster. 2. On the Main tab, click System > Clusters. The Cluster screen opens, showing the properties of the cluster, and listing the cluster members. Cluster properties The Cluster screen displays the properties of the cluster. Property Name Cluster IP Address Network Mask Primary Member Software Version Software Build Description Displays the name of the cluster. Displays the IP address assigned to the cluster. Click this IP address to change it. Displays the network mask for the cluster IP address. Displays the number of the slot that holds the primary blade in the cluster. Displays the version number of the BIG-IP software that is running on the cluster. Displays the build number of the BIG-IP software that is running on the cluster. 28

29 VIPRION Systems: Configuration Property Hotfix Build Chassis 400-level BOM Status Description Displays the build number of any BIG-IP software hotfix that is running on the cluster. Displays the bill-of-materials (BOM) number for the chassis. Displays an icon and descriptive text that indicates whether there are sufficient available members of the cluster. Viewing cluster member properties You can use the BIG-IP Configuration utility to view the properties for cluster members. 1. Use a browser to log in to the VIPRION chassis's management IP address. This logs you in to the floating IP address for the cluster. 2. On the Main tab, click System > Clusters. The Cluster screen opens, showing the properties of the cluster, and listing the cluster members. 3. To display the properties for one cluster member, click the slot number of that member. The Cluster Member properties screen opens, showing the properties of that member. Cluster member properties In addition to displaying the properties of the cluster, the Cluster screen also lists information about members of the cluster. The table lists the information associated with each cluster member. Property Status Slot Blade serial number Enabled Primary HA State Description The Status column indicates whether the cluster member is available or unavailable. The Slot column indicates the number of the slot. Click this number to display the properties of that cluster member. The Blade Serial Number column displays the serial number for the blade currently in that slot. The Enabled column indicates whether that cluster member is currently enabled. The Primary column indicates whether that cluster member is currently the primary slot. The HA State column indicates whether the cluster member is used in a redundant system configuration for high availability. 29

30 Understanding Clusters Enabling and disabling cluster members To gracefully drain the connections from a cluster member before you take that blade out of service, you can mark that cluster member disabled. Before you can return that member to service, you need to enable it. Important: Perform this task while logged in to the vcmp host; not from a guest. 1. Use a browser and the cluster management IP address of the vcmp host to log in to the vcmp host (hypervisor) and access the BIG-IP Configuration utility. 2. On the Main tab, click System > Clusters. The Cluster screen opens, showing the properties of the cluster, and listing the cluster members. 3. Locate the cluster member you want to enable or disable, and select the box to the left of the Status icon. 4. Click Enable or Disable/Yield. Changing a cluster-related management IP address You can use the BIG-IP Configuration utility to view or change the properties for a vcmp cluster. Important: Perform this task while logged in to the vcmp host; not from a guest. 1. Use a browser and the cluster management IP address of the vcmp host to log in to the vcmp host (hypervisor) and access the BIG-IP Configuration utility. 2. On the Main tab, click System > Clusters. The Cluster screen opens, showing the properties of the cluster, and listing the cluster members. 3. On the menu bar, click Management IP Address. The Management IP Address screen opens. 4. Locate the specific management IP address or cluster member IP address that you would like to change, and type the new IP address. 5. Click Update. The specific management IP address or cluster member IP address that you edited is changed. You can now use that new address to access the cluster. Cluster-related IP addresses The cluster-related addresses that you can modify are defined in the table. Setting Type Cluster IP address Setting IP Address Description Specifies the management IP address that you want to assign to the cluster. This IP address is used to access the Configuration utility, as well as to function as a cluster identifier for the peer cluster in a device service clustering configuration. 30

31 VIPRION Systems: Configuration Setting Type Cluster IP address Cluster IP address Cluster Member IP Address Cluster Member IP Address Cluster Member IP Address Cluster Member IP Address Setting Network Mask Management Route Slot 1 IP Address Slot 2 IP Address Slot 3 IP Address Slot 4 IP Address Description Specifies the network mask for the cluster IP address. Specifies the gateway for the cluster IP address. Typically, this is the default route. Specifies the management IP address associated with slot 1 of the cluster. You can also set this value to None. Specifies the management IP address associated with slot 2 of the cluster. You can also set this value to None. Specifies the management IP address associated with slot 3 of the cluster. You can also set this value to None. Specifies the management IP address associated with slot 4 of the cluster. You can also set this value to None. 31

32 Understanding Clusters 32

33 Index Index B background concepts 11 base registration key, about 14 BIG-IP configuring for LTM 17 BIG-IP license, activating for VIPRION 14 C cluster definition 28 cluster IP address modifying 30 cluster member properties described 29 viewing 29 cluster members enabling and disabling 30 cluster properties described 28 viewing 28 cluster-related IP addresses described 30 config sync address specifying 22 configuration synchronization syncing to group 24, 25 connection mirroring configuring 23 connections creating pools for 17 preserving on failover 23 creating second traffic group 20 D deployment worksheet 14 device discovery for device trust 23 device groups creating 24 devices and mirroring limit 23 device trust establishing 23 DSC prerequisites 21 DSC worksheet 21 F G guests configuring LTM on 14 I initial setup configuring objects 14 L local trust domains and device groups 24 defined 23 M management IP address 28 N network failover configuring 24 P pools creating for HTTP traffic 17 pre-deployment questions 14 S self IP addresses creating 16 self IPs and VLANs 16 Sync-Failover device groups creating 24 T traffic group creating a second 21 creating non-default 20 trunks creating external 15 trust domains, See local trust domains failover IP addresses specifying 24 33

34 Index V VIPRION defined 10 VIPRION features described 10 virtual servers creating for HTTP traffic 17 VLANs and self IP addresses 16 creating external 15 X x509 certificates for device trust 23 34